How to Block Ransomware in Windows 10 with Controlled Folder Access
Ransomware (software that scrambles files and demands a payment before unscrambling them) has become quite the rage. While it’s an easy way for script kiddies to monetize their malware, it’s definitely a situation no Windows 10 user wants to find herself in. Windows 10 takes measures to block ransomware on your device.
Microsoft has come up with a way to preemptively block many kinds of ransomware by simply restricting access to folders that contain files the ransomware may want to zap.
There’s just one problem. Restricting, or controlling, folder access is a pain in the neck — it blocks every program unless you specifically give a specific program access. So, for example, you can turn off access to your Documents folder but allow access to Word and Excel. That may work well until you want to run Notepad on a file in the Documents folder. Oh-oh.
That’s the reason why Microsoft doesn’t turn on Controlled Folder Access (CFA) by default. If you really, really want CFA, you have to dig deep and find it. If you do make the effort, the monkey’s on your back to (1) stick CFA on all the right folders and (2) allowlist any program that may need to use files in the CFA-protected folders.
To enable CFA, you need to jump through the following hoops:
- In the Cortana search bar, to the right of the Start button, type sec. At the top, tap or click Windows Defender Security Center.
- Tap or click the Virus & Threat Protection icon, scroll way down, and slide the Controlled Folder Access button to On.
Click Yes when asked if you want to allow the app to make changes to your device. The CFA settings screen appears.
- Click the Protected Folders link. You see a list of all folders protected by CFA: Documents, Pictures, Videos, Music, Desktop.
Realize that ransomware frequently attacks files in other locations.
- If you want to add another folder to the blocked list, click the Add a Protected Folder icon and navigate to and select the folder. Repeat as necessary. Note that Windows 10 has an automatically created (but not fully disclosed!) set of programs that it deems to be friendly.
- Click the back arrow in the upper-left corner to return to the window you saw previously.
- If you have any programs that need access to those folders, and the apps aren’t automatically identified as friendly, click the Allow an App through Controlled Folder Access link. Navigate in Explorer to the app that you want to allow, and then click Open.
The Windows 10 folder is added to the allowlist.
Testing Controlled Folder Access against Ransomware
We have tested Controlled Folder Access against ransomware samples. The good news is that Controlled Folder Access achieved what it was designed to do: successfully block ransomware from encrypting files located in protected folders.
The bad news is that while your protected folders are safe, other non-protected folders will still be encrypted, ransom notes will still be displayed, and other behavior will still continue.
This is because Controlled Folder Access is not designed to terminate detected ransomware, but rather to protect a folder from ANY unauthorized modifications. This includes any program not in the whitelist, which could be third-party text editors, word processing applications, or photo editing programs.
Also, while testing Controlled Folder Access, an interesting side-effect was discovered when folders are whitelisted in Windows Defender. When executables are located in a whitelisted folder and attempt to modify a file in a protected folder, Controlled Folder Access will block the modification, but not display a toast alert notifying you that the program was blocked.
While we highly recommend that everyone use Controlled Folder Access, it should not be considered a full-fledged anti-ransomware feature, but more like a data protection feature. While in some ways this is the same, in many ways it is different.
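The GUI steps above and the missing-toast case from the testing notes, as an added PowerShell example that is not part of the original article: it applies the same settings with the Defender module's Set-MpPreference and Add-MpPreference cmdlets, then lists CFA block events from the Defender operational log (event 1123; 1124 is the audit-mode equivalent). The folder, the program path and the function name Get-CfaBlockSummary are assumptions for illustration, as are the 'Process Name' and 'Path' event field names.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Assumed values for illustration; replace with your own folder and program.
$ExtraFolder = 'D:\Projects'
$AllowedApp  = 'C:\Windows\System32\notepad.exe'

# Same result as the GUI steps: turn CFA on, protect one more folder,
# and allowlist one program.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp

# Confirm what is now configured.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# Hypothetical helper: summarize CFA events so blocks that produced no toast
# are still seen. 1123 = modification blocked, 1124 = audited only.
function Get-CfaBlockSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no blocks".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Flatten <Data Name="...">value</Data> into a lookup table.
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
            [pscustomobject]@{
                Mode    = if ($evt.Id -eq 1123) { 'Blocked' } else { 'Audited' }
                Process = $data['Process Name']  # assumed field name
                Target  = $data['Path']          # assumed field name
            }
        } |
        Group-Object Mode, Process, Target |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-CfaBlockSummary -Days 7
```

A process that shows up here repeatedly and that you recognize is a candidate for the allowlist; one you do not recognize is worth investigating before you allow it.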
"Ransomware is more about manipulating vulnerabilities in human psychology than the adversary's technological sophistication."